(already posted in comp.os.linux.security)

Hi all,

I have really reached my limits with the following task:

OS: Debian
Program: iptables + bridge
Goal: transparent bridge with traffic shaping

This doesn't sound so complicated at first glance, but...

I've got a computer with 4 NICs (3 of them are used for the bridge, 1 for administration). The firewall will be placed between the router and the LAN, but with 2 servers in between. The traffic should be classified by the following points:

1. dst/src: there are several IP ranges with no bandwidth limits; this means the traffic should be forwarded without further checking, including the LAN and the two servers.
2. All other traffic should be shaped by application (layer7 extension).

I tried to mark the packets in the mangle table (PREROUTING or filter), but I am really confused... Marking the packets (e.g. HTTP) doesn't work, because it will mark every packet without checking for dst/src. Marking packets by dst/src will not work, because they are not correctly marked for the traffic shaper.

Any ideas (in case you understand my problem)? The problem (I assume) is that I cannot use a user-specified target in the mangle table and I cannot use the MARK target in the filter table.

Regards,
Moritz

Moritz Gartenmeister
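Added example (not part of the original post, and not the poster's configuration): a mark-then-shape layout for the setup described above. The ordering problem the post runs into goes away once the exempt src/dst ranges RETURN from a user-defined chain before any layer7 rule is evaluated. User-defined chains are perfectly legal in the mangle table; the restriction the post has in mind applies only to the MARK target, which is tied to mangle. The marks are then picked up on egress by tc `fw` filters. Everything below that is not in the post is an assumption: the bridge ports (`eth1` as the LAN-facing port that shapes router-to-LAN traffic), the RFC 5737 documentation addresses standing in for the LAN range and the two servers, the `http`/`bittorrent` layer7 protocols, the mark values and the HTB rates. The layer7 match requires the l7-filter kernel patch and iptables extension, and bridged IPv4 only reaches iptables when `bridge-nf-call-iptables` is enabled.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: eth1 = LAN-side
# bridge port, exempt prefixes are RFC 5737 placeholders for the LAN and the
# two servers, layer7 protocols/marks/rates are illustrative.
set -eu

APPLY="${APPLY:-0}"     # APPLY=1 executes the commands; default prints them for review
run() { if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

LAN_PORT=eth1
LINK=10mbit                                           # assumed router uplink rate
EXEMPT="192.0.2.0/24 198.51.100.10 198.51.100.11"    # LAN range + two servers (placeholders)

# Bridged IPv4 frames are only passed through the iptables hooks when this is on.
bridge_sysctl() { run sysctl -w net.bridge.bridge-nf-call-iptables=1; }

# All marking lives in one user-defined mangle chain. Order matters:
#   1. restore a mark saved on the connection, so later packets are cheap;
#   2. RETURN for exempt src/dst BEFORE any layer7 rule, so e.g. HTTP to the
#      servers is never marked;
#   3. classify the remainder by application and remember it on the conntrack.
build_marks() {
    run iptables -t mangle -N SHAPE || true
    run iptables -t mangle -F SHAPE
    run iptables -t mangle -A SHAPE -j CONNMARK --restore-mark
    run iptables -t mangle -A SHAPE -m mark ! --mark 0 -j RETURN        # already classified
    for net in $EXEMPT; do
        run iptables -t mangle -A SHAPE -s "$net" -j RETURN
        run iptables -t mangle -A SHAPE -d "$net" -j RETURN
    done
    run iptables -t mangle -A SHAPE -m layer7 --l7proto http       -j MARK --set-mark 0x10
    run iptables -t mangle -A SHAPE -m layer7 --l7proto bittorrent -j MARK --set-mark 0x20
    run iptables -t mangle -A SHAPE -m mark ! --mark 0 -j CONNMARK --save-mark
    run iptables -t mangle -A FORWARD -j SHAPE           # bridged traffic traverses FORWARD
}

# HTB on the egress port. Marked classes get ceilings; unmarked traffic (the
# exempt ranges and anything layer7 could not classify) takes the default
# class, which may use the whole link.
build_shaper() {
    dev=$1
    run tc qdisc del dev "$dev" root || true
    run tc qdisc add dev "$dev" root handle 1: htb default 30
    run tc class add dev "$dev" parent 1:  classid 1:1  htb rate "$LINK"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate 2mbit    ceil 6mbit    # http
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate 512kbit  ceil 2mbit    # bittorrent
    run tc class add dev "$dev" parent 1:1 classid 1:30 htb rate 7500kbit ceil "$LINK"  # unshaped
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle 0x10 fw flowid 1:10
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle 0x20 fw flowid 1:20
}

main() {
    bridge_sysctl
    build_marks
    build_shaper "$LAN_PORT"
}

main
```

Run it once without arguments to read the generated ruleset, then with `APPLY=1` to install it. To shape LAN-to-router traffic as well, call `build_shaper` a second time for the router-facing port; the mangle chain is direction-agnostic because it keys on both `-s` and `-d`. `iptables -t mangle -L SHAPE -v` and `tc -s class show dev eth1` show whether exempt traffic really stays at mark 0 and whether bytes land in classes 1:10 and 1:20.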
Tags: iptables, mark, qos